Bluehost and other web hosting company sites found to be full of flaws

Independent researcher and bug-hunter Paulos Yibelo has identified four vulnerabilities in the web-hosting platform Bluehost, including multiple account-takeover and information-leak flaws. One of them is a “High” severity information leak through a CORS misconfiguration that could allow an attacker's web page, loaded in a logged-in customer's browser, to read personally identifiable information, partial payment details and tokens that grant access to hosted WordPress, Mojo, SiteLock and other services.

According to Yibelo’s recent blog post, the site is also open to account takeover through a cross-site request forgery (CSRF) caused by improper validation of JSON requests, to man-in-the-middle attacks because the CORS policy does not validate the scheme of the requesting origin (so trust extends to a plaintext origin a network attacker can impersonate), and to cross-site scripting (XSS) on my.bluehost.com.
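The two cross-origin weaknesses named above (an Origin-reflecting CORS policy with credentials, and a JSON endpoint that accepts a text/plain form body) are easy to confuse, so here is an added, self-contained model of both next to a hardened endpoint. This is illustration code written for this article, not Bluehost's code or anything from Yibelo's write-up; the origins, session store and browser behaviour are constructed and simplified, and the attack pair shows why the allowlist plus Content-Type check closes both holes.

```python
import json
from dataclasses import dataclass, field

# Assumed names for the illustration; neither is a real hosting-company origin.
ALLOWED_ORIGINS = {"https://my.hosting.example"}
ATTACKER_ORIGIN = "https://attacker.example"

# Content types a cross-site HTML form can send without a CORS preflight.
SIMPLE_TYPES = {"", "text/plain", "application/x-www-form-urlencoded", "multipart/form-data"}


@dataclass
class Request:
    method: str
    origin: str                      # Origin header the browser attaches
    content_type: str = ""
    body: str = ""
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def new_store():
    """Constructed session store: one logged-in victim with PII on file."""
    return {"sid-123": {"email": "victim@example.com", "card_last4": "4242"}}


def weak_api(req, store):
    """Reflects every Origin with Allow-Credentials and accepts any body that
    parses as JSON regardless of Content-Type: the two flaws in the article."""
    headers = {"Access-Control-Allow-Origin": req.origin,
               "Access-Control-Allow-Credentials": "true"}
    user = store.get(req.cookies.get("sid"))
    if user is None:
        return Response(401, "", headers)
    if req.method == "GET":
        return Response(200, json.dumps(user), headers)
    if req.method == "POST":
        try:
            user["email"] = json.loads(req.body)["email"]
        except (ValueError, KeyError, TypeError):
            return Response(400, "bad json", headers)
        return Response(200, "updated", headers)
    return Response(405, "", headers)


def hardened_api(req, store):
    """Allowlists origins and requires application/json for writes, so a
    cross-site request is either unreadable or never sent at all."""
    headers = {}
    if req.origin in ALLOWED_ORIGINS:
        headers = {"Access-Control-Allow-Origin": req.origin,
                   "Access-Control-Allow-Credentials": "true",
                   "Vary": "Origin"}
    user = store.get(req.cookies.get("sid"))
    if user is None:
        return Response(401, "", headers)
    if req.method == "GET":
        return Response(200, json.dumps(user), headers)
    if req.method == "POST":
        # A plain HTML form cannot set application/json, so requiring it forces a
        # preflight, and the allowlist above refuses that preflight for foreign origins.
        if req.content_type != "application/json" or req.origin not in ALLOWED_ORIGINS:
            return Response(403, "rejected", headers)
        user["email"] = json.loads(req.body)["email"]
        return Response(200, "updated", headers)
    return Response(405, "", headers)


def browser_fetch(api, store, origin, method="GET", content_type="", body=""):
    """Simplified model of a credentialed cross-origin request from a page at
    `origin`. Returns (response or None, whether the attacker script may read it)."""
    def allows(headers):
        # "*" combined with credentials is never readable, so only an exact echo counts.
        return (headers.get("Access-Control-Allow-Origin") == origin
                and headers.get("Access-Control-Allow-Credentials") == "true")

    if content_type not in SIMPLE_TYPES:
        preflight = api(Request("OPTIONS", origin), store)   # no cookies on preflight
        if not allows(preflight.headers):
            return None, False                                # real request never sent
    req = Request(method, origin, content_type, body, cookies={"sid": "sid-123"})
    resp = api(req, store)
    return resp, allows(resp.headers)


def leak_pii(api, store):
    """Attack 1: attacker page reads the victim's profile via a credentialed GET."""
    resp, readable = browser_fetch(api, store, ATTACKER_ORIGIN)
    return json.loads(resp.body) if readable else None


def json_csrf(api, store):
    """Attack 2: a text/plain form whose field name and value concatenate to valid
    JSON; the browser sends it without preflight and the session cookie rides along."""
    name = '{"email":"attacker@attacker.example","pad":"'
    value = '"}'
    body = name + "=" + value            # text/plain form encoding is name=value
    browser_fetch(api, store, ATTACKER_ORIGIN, "POST", "text/plain", body)
    return store["sid-123"]["email"]


if __name__ == "__main__":
    for api in (weak_api, hardened_api):
        print(api.__name__, "leak:", leak_pii(api, new_store()),
              "csrf:", json_csrf(api, new_store()))
```

The second attack never needs to read the response, which is why an origin allowlist alone does not fix it; the Content-Type requirement is what turns the write into a preflighted request the allowlist can refuse.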

Yibelo also tested four other web-hosting companies and found cross-site scripting and information-disclosure vulnerabilities in Dreamhost, information disclosure among other vulnerabilities in Hostgator and OVH, and account takeover among other vulnerabilities in iPage.

Patrick Domingues
